Cloud delivery models - all at once!

Cloud & Virtualization Adoption... on the rise 



(Figure: adoption stages - Traditional / Virtualized / Enterprise)




Global Cloud Adoption - Moving fast...

Source: Gartner, July 2010 - Cloud Hype Cycle
Market Growth in Cloud Computing



Over 60% of enterprises plan to evaluate or pilot 
some type of cloud-enabled offerings within the 
next 18 months. However, enterprises continue to 
delay cloud adoption due to concerns surrounding 
data security, privacy and compliance 

(Gartner Hype Cycle for Cloud Computing, 2010, David 
Mitchell Smith, July 27, 2010) 



FIGURE 4: IN THE CLOUD STACK, WHICH SERVICES DOES/WILL THE COMPANY USE? 
Server revenue in the public
cloud category will grow 
from $582 million in 2009 to 
$718 million in 2014; Server 
revenue for the private cloud 
market will grow from $7.3 
billion to $11.8 billion 

(IDC, May 2010) 



SMB spending on cloud 
computing will approach 
$100 billion by 2014 

(AMI Partners, August 2010) 
Asia-Pac & Cloud - Early Days...



FIGURE 1: ESTIMATED 2010 REGIONAL REVENUE BREAKDOWN
FIGURE 2: CLOUD SERVICE REVENUES IN ASIA-PACIFIC, 2003-2011 ($M)

Australia's Cloud Governance & Guidance

Cloud Computing Strategy - April 2011
(Figure: layers of the Australian Government cloud strategy)

Public

Information and Services layers
• Citizen-facing services
• Citizen-driven / joined-up services
• Consolidated or shared business processes, for example Financial, HR, Budgeting, Procurement, content management, case management
• Custom applications / Packaged applications / ...

Citizen Information
• Concerns individual citizens, covered by privacy and data protection (security)

Public Information
• Open government data / mashups
• Collaborative tools, e.g. blogs, wikis, data.gov.au

Technology (Infrastructure)
• Government websites and portals
• Web 2.0 technologies (e.g. gmail)
• Discovery tools, for example Google Search
• IT and telecom infrastructure model

Technology (process / storage capability)
• Process and analyse large datasets
• Use as a storage platform
Cloud Computing Security - April 2011

a. availability of data and business functionality; 

b. protecting data from unauthorised access; and, 

c. handling security incidents. 
Trust is THE issue!



IT Security is stopping projects. Compliance/Audit has tons of 
questions. Cloud growth IS being limited. All the birds are dead. 



IT Security Group: "The cloud isn't secure. I don't trust providers. I don't know how to secure that thing!"

Compliance/Audit Group: "Show me your security. Prove compliance in clouds. Convince me!"
Cloud Architectures

Varying Levels of Abstraction and Data Ownership

(Figure: the cloud stack, top to bottom, and who is responsible for each layer depending on the delivery model)

• Application Presentation & APIs
• Application Engine
• Data Engine & Platform APIs
• Middleware
• Virtualization APIs
• Abstraction Layer & Hypervisor
• Hardware & Networking
• Power & HVAC
• Architecture

Responsibility by delivery model: "They do it" (good luck with that); "Everyone does it" (or really no one does it?); "You do it."
Cloud Security Challenges

User ID and Access: Secure authentication, authorization, logging
Data Co-Mingling: Multi-tenant data mixing, leakage, ownership
Application Vulnerabilities: Exposed vulnerabilities and response
Insecure Application APIs: Application injection and tampering
Data Leakage: Isolating data

Platform Vulnerabilities: Exposed vulnerabilities and response 
Insecure Platform APIs: Instance manipulation and tampering 
Data Location/ Residency: Geographic regulatory requirements 
Hypervisor Vulnerabilities: Virtualization vulnerabilities 
Data Retention: Secure deletion of data 
Application & Service Hijacking: Malicious application usage 
Privileged Users: Super-user abuse 
Service Outage: Availability 

Malicious Insider: Reconnaissance, manipulation, tampering 
Logging & Forensics: Incident response, liability limitation 
Perimeter/ Network Security: Secure isolation and access 
Physical Security: Direct tampering and theft 
Fundamental Trust & Liability Issues

• Data exposure in multi-tenant 
environments 

• Separation of duties from cloud 
provider insiders 

• Transfer of liability by cloud 
providers to data owners 

Fundamental New Cloud Risks 

• New hypervisor technologies 
and architectures 

• Redefine trust and attestation 
in cloud environments 

Regulatory Uncertainty in the Cloud 

• Regulations likely to require 
strong controls in the cloud 
Trust & Hypervisors Challenge Us to Do Better

And encryption hits trust and isolation head-on

(Figure: established control areas and the familiar practices behind them, set against the new ground the hypervisor opens up)

Control areas:
• Vulnerability Management
• Authentication/Authorization
• App/DB/File Data Protection
• Patch Management
• Telemetry & Reporting
• Instance Authentication/Authorization
• Instance Isolation

Existing practices named on the slide:
• Pen-test, web scanning, etc. - scan & report
• MFA, IAM integration, entitlement management
• Code review/scan, news lists, developer education, QA, etc.
• App/DB/File encryption, DAM/FAM, process, etc.
• Patch process, news lists, patch management
• VLANs, firewalls, IPS, NAC, etc.

New Technology Ground
• Centered around hypervisors
• Or the associated trust boundary
• Encryption is the single greatest way to address isolation/trust
• Will also include building controls into CSP/hypervisor tools
Regulations Will Impact Cloud

Many regulations, which often overlap.

Worldwide Compliance Requirements

Worldwide:
• PCI Data Security Standard

USA:
• CA SB 1386, NV, MA
• HIPAA
• FDA 21 CFR Part 11
• GLB Act
• Sarbanes-Oxley Act
• NERC/FERC

Europe:
• AIPA (Italy)
• GDPdU and GoBS (Germany)
• NF Z 42-013 (France)
• EU Data Protection Directive
• Financial Services Authority (UK)
• UK Data Protection Act
• CoCo (UK)
• National ID
• SEPA

Asia:
• Electronic Ledger Storage Law (Japan)
• MEDIS-DC (Japan)
• Japan PIP Act
• FISC (Japan)
• Korea DP
• Taiwan DP
Let's take a quick look at PCI

Number of times "cloud" is mentioned in PCI DSS 2.0 =

2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

2.2.1.a For a sample of system components, verify that only one primary function is implemented per server.

2.2.1.b If virtualization technologies are used, verify that only one primary function is implemented per virtual system component or device.

Virtualization just made it into 2.0.

But we already know service providers are subject to PCI.
The Truth - Now

Bad News: Confusing Regulatory Landscape

• Shared responsibility model, but the demarcation is gray
• SAS 70 inadequate for common use in evaluating cloud providers
• Formal transfer of liability highly likely to be written into your cloud contract
• You will have to have a detailed architecture and API conversation to assess your responsibility
XaaS providers know this and are working hard to alleviate it; the Cloud Security Alliance has a mapping document.

So where do we go from here???

Focus on First Principles
• Spirit and intent of regulations
• Thoughtful data handling

Sprinkled with the "New" Cloud Issues
• These are where regulations will focus
• Will be around the new areas we discussed before: Trust and Ownership, Hypervisors, Disclosure and Visibility
First Principles and Cloud Challenges

Principle: Limit use of <sensitive data>
Issue: Big issue in SaaS; in your control for the most part in IaaS and PaaS.

Principle: Use secure development practices
Issue: Issue in SaaS and PaaS.

Principle: Control access to <sensitive data>
Issue: Issues in all cases: user identification, authorization rights, privileged cloud users.

Principle: Encrypt <sensitive data> in transit
Issue: Most likely already addressed, but customer-to-cloud and intra-cloud communication can be an issue.

Principle: Optional <sensitive data> encryption at rest
Issue: Huge issue for data sitting in the cloud, across all platforms.

Principle: Keep <sensitive data> confidential
Issue: Main issue is guaranteeing the "trust" in data when you don't "trust" the cloud.

Principle: Keep the integrity of <sensitive data>
Issue: Main issue is guaranteeing the "trust" in data when you don't "trust" the cloud.

Principle: Enforce separation of duties for <sensitive data> access and administration
Issue: Fundamental issue of cloud employee and cloud administrator access. Extends to both physical and logical security. Invokes separation of duties issues around all controls.

Principle: Report and audit your controls
Issue: Can you prove it to your auditor?
Emergence of Encryption as a Unifying Cloud Security Control

Encryption is a fundamental technology for realizing cloud security
• Isolates data in multi-tenant environments
• Recognized universally by analysts and experts as the underlying control for cloud data
• Sets a high-water mark for demonstrating regulatory compliance for data

Moves from data center tactic to cloud strategic solution
• In the data center, physical controls, underlying trust in processes, and isolation reduced the need for encryption
• Those mitigating trust factors don't exist in the cloud
How Encryption Solves Main Pain Points

Limit use of <sensitive data>
  Big issue in SaaS; in your control for the most part in IaaS and PaaS.

Use secure development practices
  Issue in SaaS and PaaS.

Control access to <sensitive data>
  Encryption enables an authentication and authorization layer.

Encrypt <sensitive data> in transit
  Most likely already addressed, but customer-to-cloud and intra-cloud communication can be an issue.

Optional <sensitive data> encryption at rest
  Encryption directly addresses many regulatory requirements and shows a high standard of care.

Keep <sensitive data> confidential
  Encryption fundamentally isolates your data from other tenants in a shared cloud environment and shields it from unauthorized disclosure in a breach.

Keep the integrity of <sensitive data>
  Authenticated encryption (a mode such as AES-GCM, or encrypt-then-MAC) provides integrity controls. Plain encryption with no integrity tag does not detect tampering, so the mode has to be chosen with integrity in mind.

Enforce separation of duties for <sensitive data> access and administration
  Encryption can add an additional authentication and authorization layer for users and administrators. Customer-owned encryption definitively shows separation from the cloud provider.

Report and audit your controls
  Encryption key ownership is tangible proof of data ownership. Encrypt/decrypt actions become easy log and audit proofs.




Encryption- Additional Upside 



"Lawful Order" to Cloud Provider for Data 





Issue: Cloud provider may turn over your data when another member of the cloud is 
under criminal investigation. Your data is now viewable to law enforcement. 
Resolution: Encrypted data unviewable by law enforcement. Law enforcement would 
have to work through legal channels, under which you have guaranteed rights, to get 
you to turn over decryption keys. 



Destruction of Cloud Data

Issue: Is data in the cloud ever destroyed? Are you sure?
Resolution: Encryption makes data unusable in the cloud. "Key shredding" (destroying the keys) makes encrypted cloud data effectively unrecoverable.



Physical Location Issues of Cloud Data 



Issue: Is cloud data now in new physical locations that require new regulatory insight, or that violate existing regulatory law?

Resolution: Encrypted data can be moved anywhere in the cloud, but controlled 
decryption with proper key release policy can define what localities may use data. 
Encryption Your Biggest Tool, Not Perfect

Hypervisor Security
• Data could be exposed while running, even when encrypted at rest: the guest holds keys and cleartext in memory to process it.
• An issue you need to deal with no matter what.
• Combination of vetting cloud provider controls of hypervisor security, deploying specific hypervisor tools (monitoring and integrity tools), and isolating data through encryption.

Instance Snapshotting and Storage
• Snapshots could store "running" instances and so expose keys and cleartext.
• An issue to discuss with your cloud provider.
• Amazon AWS has thought about this and only allows storing of AMIs in the down state, which eliminates the problem.
• Not all cloud providers are as wise.

Proper Key Handling
• When you do encryption, is the key properly stored and handled? Many regulations give specific key handling requirements (security, state, rotation, etc.).
• If your cloud provider does encryption for you, there are huge issues in key ownership. If they hold the keys, you lose almost all separation of duties and visibility controls.
• Key granularity is an issue: some cloud providers use a single key for all their customers!!!
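The points above on key handling, together with the encryption pain-point table (control, integrity, separation of duties, audit) and the "additional upside" items (lawful order, key shredding, physical location), all come down to one design: the customer generates and holds the key-encrypting keys, the provider only ever sees wrapped data keys and ciphertext, and key release is a policy decision that is logged. The following is an added example and not SafeNet's code or anything from the deck. The CustomerKeyService class, the tenant names "acme" and "beta", the region names and the record contents are constructed for illustration, and the cipher is a stdlib stand-in for AES-GCM so that the example runs offline.

```python
import hashlib
import hmac
import secrets

# Demonstration AEAD, stdlib only (HMAC-SHA256 keystream, encrypt-then-MAC). It stands
# in for AES-GCM so the example runs without third-party packages; NOT a production cipher.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(key, nonce, data):
    k = _subkey(key, b"enc")
    ks = b"".join(hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _tag(key, aad, nonce, ct):
    msg = len(aad).to_bytes(4, "big") + aad + nonce + ct
    return hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()

def seal(key, plaintext, aad=b""):
    """Return nonce || ciphertext || tag; the tag also binds aad (a record or tenant id)."""
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, plaintext)
    return nonce + ct + _tag(key, aad, nonce, ct)

def unseal(key, blob, aad=b""):
    """Verify the tag before decrypting; raise on tampering or on the wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, aad, nonce, ct)):
        raise ValueError("integrity check failed")
    return _xor(key, nonce, ct)

class CustomerKeyService:
    """Customer-held key hierarchy: one KEK per tenant, kept outside the cloud. DEKs
    reach the provider only wrapped; unwrapping is policy-gated and audit-logged."""
    def __init__(self, allowed_regions):
        self._keks = {}                   # tenant -> KEK (hypothetical in-memory store)
        self._allowed = allowed_regions   # tenant -> regions allowed to decrypt
        self.audit = []
    def wrap_new_dek(self, tenant):
        kek = self._keks.setdefault(tenant, secrets.token_bytes(32))
        dek = secrets.token_bytes(32)
        self.audit.append({"op": "wrap", "tenant": tenant, "ok": True})
        return dek, seal(kek, dek, aad=tenant.encode())
    def release_dek(self, tenant, wrapped, region):
        """Key-release policy: approved region only, owning tenant's KEK only."""
        kek = self._keks.get(tenant)
        dek = None
        if kek is not None and region in self._allowed.get(tenant, ()):
            try:
                dek = unseal(kek, wrapped, aad=tenant.encode())
            except ValueError:       # wrapped under another tenant's KEK, or tampered
                pass
        self.audit.append({"op": "unwrap", "tenant": tenant, "region": region,
                           "ok": dek is not None})
        if dek is None:
            raise PermissionError(f"key release denied: tenant={tenant} region={region}")
        return dek
    def shred(self, tenant):
        """Crypto-shredding: with the KEK gone, every DEK wrapped under it is dead."""
        self._keks.pop(tenant, None)
        self.audit.append({"op": "shred", "tenant": tenant, "ok": True})

def _fails(fn, exc):
    """True if fn() raises exc."""
    try:
        fn()
    except exc:
        return True
    return False

def demo():
    """Walk the slides' scenarios on constructed data; returns the outcomes."""
    kms = CustomerKeyService({"acme": {"ap-southeast-2"}, "beta": {"ap-southeast-2"}})
    dek, wrapped = kms.wrap_new_dek("acme")                 # generated client-side
    obj = {"wrapped_dek": wrapped,                          # all the provider stores
           "ct": seal(dek, b"customer PII", aad=b"rec1")}
    r = {}
    # Normal read from an approved region.
    dek = kms.release_dek("acme", obj["wrapped_dek"], "ap-southeast-2")
    r["read_ok"] = unseal(dek, obj["ct"], aad=b"rec1") == b"customer PII"
    # Residency / lawful order: no key for a copy in a non-approved region or one the
    # provider hands to a third party.
    r["wrong_region_denied"] = _fails(
        lambda: kms.release_dek("acme", obj["wrapped_dek"], "us-east-1"), PermissionError)
    # Integrity: one flipped ciphertext byte fails verification instead of decrypting.
    ct = obj["ct"]
    r["tamper_detected"] = _fails(
        lambda: unseal(dek, ct[:20] + bytes([ct[20] ^ 1]) + ct[21:], aad=b"rec1"), ValueError)
    # Multi-tenant isolation: tenant beta's KEK cannot unwrap acme's DEK.
    kms.wrap_new_dek("beta")
    r["cross_tenant_denied"] = _fails(
        lambda: kms.release_dek("beta", obj["wrapped_dek"], "ap-southeast-2"), PermissionError)
    # Destruction: shred acme's KEK and the record is dead data, backups included.
    kms.shred("acme")
    r["shredded"] = _fails(
        lambda: kms.release_dek("acme", obj["wrapped_dek"], "ap-southeast-2"), PermissionError)
    r["denied_releases"] = sum(e["op"] == "unwrap" and not e["ok"] for e in kms.audit)
    return r
```

Run `demo()` to see the outcomes. The design choices map onto the slide points: per-tenant KEKs give key granularity, the `aad` binding stops a wrapped DEK from being unwrapped under any other tenant's key, the region check on release is the key-release policy that turns "where is my data" into "where can my data be decrypted", the audit list records every denied and granted release as evidence for an auditor, and `shred` is the key-shredding answer to "was it ever really deleted". Replace the HMAC stand-in with AES-GCM from a vetted library and put the KEKs in an HSM or customer-controlled KMS before using the pattern for real.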
Protect the Data Where it Lives




Data Protection should follow it 
through its lifecycle 

Know what users, applications, or
instances access data.

Secure the Data Processing during the 
creation, analytic, aggregation, and 
modification of the data. 

Apply consistent data protection policy 
across any Data Store. 

Enforce data privacy controls while 
Sharing Data, with threat protections 
inherent in that sharing. 
SafeNet Trusted Cloud Fabric

Maintaining Trust and Control in Virtualized Environments

• Secure Virtual Storage
• Secure Cloud Applications
• Secure Virtual Machines
• Secure Cloud-Based Identities and Transactions
• Secure Cloud-Based Communications
• On-premise

SafeNet

Additional Resources

Cloud Security Alliance
> Excellent
> Vendor neutral

SafeNet Website
www.safenet-inc.com/cloudsecurity
> Videos
> White papers
> Additional resources
Infosecurity

"Penn said that encryption is one of the best ways to secure corporate data in the cloud, but "it has to be encryption that the company controls.""

"One of the vendors that offers encryption-based cloud security products to companies and government organizations is Maryland-based SafeNet."




HPC in the Cloud

"SafeNet Makes Formal Foray into Cloud Security Market with Launch of Trusted Cloud Fabric."

"SafeNet, which has been around since 1993, formally made the jump today from on-premise security to cloud security with the introduction of a new framework designed to extend their established offerings into the cloud. Additionally, they have extended and refined [...] of their existing services to fit into the public cloud realm via Amazon Web Services."






"One of the biggest issues our customers are running across is around the 
concept of trust in the cloud", said Dean Ocampo, solutions strategy director 
SafeNet. "There isn't a lot of insight among customers in understanding what 
cloud providers are doing from a security perspective", he told Infosecurity. 



(Press quote too garbled to recover; it refers to identity federation and Authentication Manager (SAM) 8.0.)







Questions? 



Visibility through Encryption 